UI terminology for calculated validities

Hauke Laging mailinglisten at hauke-laging.de
Fri Apr 25 04:49:30 CEST 2014


On Thu 24.04.2014, 11:13:22, Peter Lebbing wrote:
> I think "authenticity" covers the overtones much better than
> "validity", now that you mention it. It even makes me wonder why it
> wasn't chosen in the first place :). You have convinced me that it is
> the better term to use.
> 
> I'm not enthusiastic about "ownership", because it feels like a
> synonym to "User ID" in OpenPGP context.

I second that. "Ownership" is much too close to "ownertrust".

But I would also point out that "authenticity" sounds very much like 
"this key is authentic" which is a problem for at least two reasons:

a) Many keys are certified without being verified. This is IMHO not so 
much a problem if this is transparent. Think of --ask-cert-level. BTW: I 
really don't like the --min-cert-level default to be 2 because this 
forces the users to either ignore this level (setting 0) or to "lie" 
which also reduces the "authenticity".

b) There are user IDs with which it becomes strange to speak of 
"authenticity". E.g. if it is only an email address 
(sevgseuiuzh at example.org).

Certifying a key (especially if locally only) is more a technical 
decision than a proof of "authenticity". But I doubt that "validity" vs. 
"authenticity" makes a difference in this regard. The German term for 
valid does not sound like that to me.

Thus I would like to offer "accepted" as a possible alternative. I guess 
that shows the user decision. Maybe even as a combination: "authenticity 
accepted".


Another point:
Is it a good idea to use the same terms for both the key itself and user 
IDs? The terminology should make sense to non-technical people 
especially from the perspective that a "valid" key (certificate) can 
contain "invalid" user IDs.

As different keys (especially fake ones) can contain exactly the same 
user ID it seems strange to me to apply the term "authenticity" to a 
user ID. The key is authentic for this user ID (in contrast to other 
keys which may have the same).

Even worse: Even an invalid (but formerly valid) key is still 
"authentic". At least from my understanding of language. "Accepted" does 
not have this problem (neither "valid").

We could say: An accepted user ID makes a key valid. Certain additional 
steps during accepting (certifying) – like --ask-cert-level or (yet to 
be defined) signature notations – MAY make the key not only "valid" 
(technical part) but also "authentic" (organizational part).

In order to help people use crypto right the terminology should help the 
people become aware of important differences – like validity and 
authenticity. Speaking of "authenticity" only may support the creation 
of an illusion of security.


Maybe we are not even the right group to discuss that. Maybe that should 
be discussed by new users after being told about the technical and 
organizational states which the language shall easily understandably 
represent.


Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5